Order SBOM `packages` to have "CPython" be first as the primary package

[rjb4standards]

Bug report

Bug description:

The SPDX SBOM shown does not meet NTIA minimum requirements, there is no creation info.
NTIA Minimum Info Requirements:
https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

Also, this sbom does not validate using the SPDX online validator:
https://tools.spdx.org/app/validate/

Please update the SBOM to meet the NTIA minimum elements and confirm that it is valid using the oinline validator tool so that it can be processed by existing tools.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Windows

[Eclips4]

cc @sethmlarson

[rjb4standards]

@sethmlarson feel free to reach out, I am one of the co-authors of the SPDX V 2.3 spec.
https://spdx.github.io/spdx-spec/v2.3/

Dick Brooks

[rjb4standards]

Here
SAG-PM_SBOM_V1_2_3.json
is an example SPDX V 2.3 SBOM that passes the online validation test:

[sethmlarson]

Hey @rjb4standards, thanks for opening this issue.

The SBOM that's checked-in to source control isn't the complete SBOM for CPython, it only tracks the metadata of bundled dependencies. The complete SBOM is assembled during the build and release process. You can download them from the release pages of 3.12.2 and onwards (click on the "SPDX" in the table). For example, the SBOM for the Python-3.12.3.tgz tarball is here.

[rjb4standards]

Perfect - this SBOM works fine. I have created a baseline Vulnerability Disclosure Report for this SBOM, based on the open source SBOM VDR schema; https://github.com/rjb4standards/REA-Products/blob/master/SAGVulnDisclosure.xsd

NOTE: I advise following the NTIA framing "convention" and make CPython the "primary component" (first component in SBOM) .
The current SBOM indicates that cachecontrol is the primary component see attached VDR for more details:
"ProductName": "cachecontrol",
"ProductVersion": "0.13.1",
pythonVDR.json

[sethmlarson]

Glad that worked for you @rjb4standards. The CPython SBOM uses the "DESCRIBES" relationship to indicate the primary component to be the CPython package, is there another way that we should be indicating the primary package? I wasn't able to find a reference for the ordering of the packages field having meaning in an SBOM.

[rjb4standards]

@sethmlarson the NTIA SBOM Framing document recommends that the first component in the SBOM is the primary component (product name), this approach works for both CycloneDX and SPDX - see page 8 and section 4.2 regarding "primary component"

https://www.ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf

[rjb4standards]

Knowing that the first component is the "product" makes it easier on those of us writing SBOM parsing tools - this eliminates the nuance of knowing each SBOM format's specific approach.

[StanFromIreland]

Is this superseded by #123038?

[sethmlarson]

@StanFromIreland No, let me change the title to make it more clear exactly what needs to happen to resolve this.

[rjb4standards]

Thanks, Seth. I'll be happy to test any changes made.
It' also easy to check for valid SPDX SBOMs using the online validator tool that Gary maintains:
https://tools.spdx.org/app/validate/